Merge pull request #20 from camptocamp/rm-snyk
Remove Snyk
sbrunner authored Nov 20, 2024
2 parents c5bf58f + 54970eb commit ffc9660
Showing 7 changed files with 1 addition and 229 deletions.
7 changes: 0 additions & 7 deletions .github/workflows/main.yaml
Expand Up @@ -63,13 +63,6 @@ jobs:
with:
fetch-depth: 0

- uses: camptocamp/initialise-gopass-summon-action@v2
with:
ci-gpg-private-key: ${{secrets.CI_GPG_PRIVATE_KEY}}
github-gopass-ci-token: ${{secrets.GOPASS_CI_GITHUB_TOKEN}}
patterns: pypi
if: env.HAS_SECRETS == 'HAS_SECRETS'

- uses: actions/setup-python@v5
with:
python-version: '3.13'
11 changes: 0 additions & 11 deletions config.md
Expand Up @@ -32,17 +32,6 @@ _Tag Publish configuration file_
- **`versions`** _(array)_: The kind or version that should be published, tag, branch or value of the --version argument of the tag-publish script. Default: `["version_tag", "version_branch", "rebuild", "feature_branch"]`.
- **Items** _(string)_
- **`auto_login`** _(boolean)_: Auto login to the GitHub Docker registry. Default: `false`.
- **`snyk`** _(object)_: Checks the published images with Snyk.
- **`monitor_args`**: The arguments to pass to the Snyk container monitor command. Default: `["--app-vulns"]`.
- **One of**
- _array_
- **Items** _(string)_
- : Must be: `false`.
- **`test_args`**: The arguments to pass to the Snyk container test command. Default: `["--app-vulns", "--severity-threshold=critical"]`.
- **One of**
- _array_
- **Items** _(string)_
- : Must be: `false`.
- <a id="definitions/pypi"></a>**`pypi`** _(object)_: Configuration to publish on pypi.
- **`packages`** _(array)_: The configuration of packages that will be published.
- **Items** _(object)_: The configuration of package that will be published.
17 changes: 0 additions & 17 deletions tag_publish/__init__.py
Expand Up @@ -279,23 +279,6 @@ def download_application(application_name: str, binary_filename: Optional[str] =
return binary_full_filename


def snyk_exec() -> tuple[str, dict[str, str]]:
"""Get the Snyk cli executable path."""
env = {**os.environ}
env["FORCE_COLOR"] = "true"

snyk_bin = download_application("snyk/cli", "snyk")

if "SNYK_TOKEN" not in env:
env["SNYK_TOKEN"] = subprocess.run(
["gopass", "show", "gs/ci/snyk/token"], check=True, stdout=subprocess.PIPE, encoding="utf-8"
).stdout.strip()
if "SNYK_ORG" in env:
subprocess.run([snyk_bin, "config", "set", f"org={env['SNYK_ORG']}"], check=True, env=env)

return snyk_bin, env


class PublishedPayload(TypedDict, total=False):
"""
The payload to send to the dispatch event.
72 changes: 0 additions & 72 deletions tag_publish/cli.py
Expand Up @@ -73,7 +73,6 @@ def main() -> None:
"--docker-versions",
help="The versions to publish on Docker registry, comma separated, ex: 'x,x.y,x.y.z,latest'.",
)
parser.add_argument("--snyk-version", help="The version to publish to Snyk")
parser.add_argument("--branch", help="The branch from which to compute the version")
parser.add_argument("--tag", help="The tag from which to compute the version")
parser.add_argument("--dry-run", action="store_true", help="Don't do the publish")
Expand Down Expand Up @@ -190,7 +189,6 @@ def main() -> None:
args.group,
args.dry_run,
args.docker_versions,
args.snyk_version,
config,
version,
version_type,
Expand Down Expand Up @@ -295,7 +293,6 @@ def _handle_docker_publish(
group: str,
dry_run: bool,
docker_versions: str,
snyk_version: str,
config: tag_publish.configuration.Configuration,
version: str,
version_type: str,
Expand Down Expand Up @@ -358,33 +355,13 @@ def _handle_docker_publish(

images_src: set[str] = set()
images_full: list[str] = []
images_snyk: set[str] = set()
versions = docker_versions.split(",") if docker_versions else [version]
for image_conf in docker_config.get("images", []):
if image_conf.get("group", tag_publish.configuration.DOCKER_IMAGE_GROUP_DEFAULT) == group:
for tag_config in image_conf.get("tags", tag_publish.configuration.DOCKER_IMAGE_TAGS_DEFAULT):
tag_src = tag_config.format(version="latest")
image_source = f"{image_conf['name']}:{tag_src}"
images_src.add(image_source)
tag_snyk = tag_config.format(version=snyk_version or version).lower()
image_snyk = f"{image_conf['name']}:{tag_snyk}"

# Workaround sine we have the business plan
image_snyk = f"{image_conf['name']}_{tag_snyk}"

if not dry_run:
subprocess.run(["docker", "tag", image_source, image_snyk], check=True)
images_snyk.add(image_snyk)
if tag_snyk != tag_src and not dry_run:
subprocess.run(
[
"docker",
"tag",
image_source,
f"{image_conf['name']}:{tag_snyk}",
],
check=True,
)

for name, conf in docker_config.get(
"repository",
Expand Down Expand Up @@ -423,55 +400,6 @@ def _handle_docker_publish(
if dry_run:
sys.exit(0)

try:
has_gopass = subprocess.run(["gopass", "--version"]).returncode == 0 # nosec # pylint: disable=subprocess-run-check
except FileNotFoundError:
has_gopass = False
if "SNYK_TOKEN" in os.environ or has_gopass:
snyk_exec, env = tag_publish.snyk_exec()
for image in images_snyk:
print(f"::group::Snyk check {image}")
sys.stdout.flush()
sys.stderr.flush()
try:
if version_type in ("version_branch", "version_tag"):
monitor_args = docker_config.get("snyk", {}).get(
"monitor_args",
tag_publish.configuration.DOCKER_SNYK_MONITOR_ARGS_DEFAULT,
)
if monitor_args is not False:
subprocess.run( # pylint: disable=subprocess-run-check
[
snyk_exec,
"container",
"monitor",
*monitor_args,
# Available only on the business plan
# f"--project-tags=tag={image.split(':')[-1]}",
image,
],
env=env,
)
test_args = docker_config.get("snyk", {}).get(
"test_args", tag_publish.configuration.DOCKER_SNYK_TEST_ARGS_DEFAULT
)
snyk_error = False
if test_args is not False:
proc = subprocess.run(
[snyk_exec, "container", "test", *test_args, image],
check=False,
env=env,
)
if proc.returncode != 0:
snyk_error = True
print("::endgroup::")
if snyk_error:
print("::error::Critical vulnerability found by Snyk in the published image.")
except subprocess.CalledProcessError as exception:
print(f"Error: {exception}")
print("::endgroup::")
print("::error::With error")

versions_config, dpkg_config_found = tag_publish.lib.docker.get_versions_config()
dpkg_success = True
for image in images_src:
88 changes: 1 addition & 87 deletions tag_publish/configuration.py
Expand Up @@ -2,7 +2,7 @@
Automatically generated file from a JSON schema.
"""

from typing import Any, Dict, List, Literal, TypedDict, Union
from typing import Any, Dict, List, TypedDict


class Configuration(TypedDict, total=False):
Expand Down Expand Up @@ -98,14 +98,6 @@ class Configuration(TypedDict, total=False):
""" Default value of the field path 'Docker repository versions' """


DOCKER_SNYK_MONITOR_ARGS_DEFAULT = ["--app-vulns"]
""" Default value of the field path 'Docker snyk monitor_args' """


DOCKER_SNYK_TEST_ARGS_DEFAULT = ["--app-vulns", "--severity-threshold=critical"]
""" Default value of the field path 'Docker snyk test_args' """


# | dispatch config.
# |
# | Send a dispatch event to an other repository
Expand Down Expand Up @@ -175,9 +167,6 @@ class Docker(TypedDict, total=False):
default: False
"""

snyk: "_DockerSnyk"
""" Checks the published images with Snyk """


class DockerImage(TypedDict, total=False):
"""Docker image."""
Expand Down Expand Up @@ -457,81 +446,6 @@ class Version(TypedDict, total=False):
"""


_DOCKER_SNYK_MONITOR_ARGS_ONEOF0_DEFAULT = ["--app-vulns"]
""" Default value of the field path 'Docker Snyk monitor args oneof0' """


_DOCKER_SNYK_MONITOR_ARGS_ONEOF1_DEFAULT = ["--app-vulns"]
""" Default value of the field path 'Docker Snyk monitor args oneof1' """


_DOCKER_SNYK_TEST_ARGS_ONEOF0_DEFAULT = ["--app-vulns", "--severity-threshold=critical"]
""" Default value of the field path 'Docker Snyk test args oneof0' """


_DOCKER_SNYK_TEST_ARGS_ONEOF1_DEFAULT = ["--app-vulns", "--severity-threshold=critical"]
""" Default value of the field path 'Docker Snyk test args oneof1' """


class _DockerSnyk(TypedDict, total=False):
"""Checks the published images with Snyk"""

monitor_args: Union["_DockerSnykMonitorArgsOneof0", "_DockerSnykMonitorArgsOneof1"]
"""
Docker Snyk monitor args.
The arguments to pass to the Snyk container monitor command
default:
- --app-vulns
Aggregation type: oneOf
"""

test_args: Union["_DockerSnykTestArgsOneof0", "_DockerSnykTestArgsOneof1"]
"""
Docker Snyk test args.
The arguments to pass to the Snyk container test command
default:
- --app-vulns
- --severity-threshold=critical
Aggregation type: oneOf
"""


_DockerSnykMonitorArgsOneof0 = List[str]
"""
default:
- --app-vulns
"""


_DockerSnykMonitorArgsOneof1 = Literal[False]
"""
default:
- --app-vulns
"""


_DockerSnykTestArgsOneof0 = List[str]
"""
default:
- --app-vulns
- --severity-threshold=critical
"""


_DockerSnykTestArgsOneof1 = Literal[False]
"""
default:
- --app-vulns
- --severity-threshold=critical
"""


_VersionTransformItem = TypedDict(
"_VersionTransformItem",
{
34 changes: 0 additions & 34 deletions tag_publish/schema.json
Expand Up @@ -81,40 +81,6 @@
"description": "Auto login to the GitHub Docker registry",
"type": "boolean",
"default": false
},
"snyk": {
"description": "Checks the published images with Snyk",
"type": "object",
"properties": {
"monitor_args": {
"description": "The arguments to pass to the Snyk container monitor command",
"title": "Docker Snyk monitor args",
"default": ["--app-vulns"],
"oneOf": [
{
"type": "array",
"items": {
"type": "string"
}
},
{ "const": false }
]
},
"test_args": {
"description": "The arguments to pass to the Snyk container test command",
"title": "Docker Snyk test args",
"default": ["--app-vulns", "--severity-threshold=critical"],
"oneOf": [
{
"type": "array",
"items": {
"type": "string"
}
},
{ "const": false }
]
}
}
}
}
},
1 change: 0 additions & 1 deletion tag_publish/versions.yaml
@@ -1,3 +1,2 @@
# https://docs.renovatebot.com/modules/datasource/#github-releases-datasource
helm/chart-releaser: v1.6.1 # github-releases
snyk/cli: v1.1293.1 # github-releases
